Security researchers discovered a fake WhatsApp API package on npm that steals developer credentials, raising fresh alarms about the growing risks facing the open source software supply chain. The malicious package impersonated a legitimate WhatsApp API library and actively harvested sensitive information from unsuspecting developers who installed it, highlighting how threat actors continue to exploit trust in widely used developer ecosystems.
As reported by The Hacker News, the package, named “lotusbail,” has been downloaded over 56,000 times since it was first uploaded to the registry by a user named “seiren_primrose” in May 2025. Of these, 711 downloads took place over the last week. The library is still available for download as of writing.
The fake WhatsApp API package targeted developers looking to integrate WhatsApp functionality into applications, particularly those building messaging tools, customer support systems, or automation services. By presenting itself as a functional API library, the malicious npm package blended into legitimate development workflows, allowing attackers to quietly collect credentials and other sensitive data during installation or at runtime. This incident highlights how developer-focused attacks increasingly prioritize stealth and credibility over brute-force techniques.
Researchers confirmed that the malicious package abused npm, one of the most widely used package registries in the software industry, where millions of developers rely on third-party libraries to accelerate development. The attackers chose a name and description that closely resembled genuine WhatsApp-related tooling, increasing the likelihood that developers would mistake the package for a legitimate dependency. Once installed, the fake WhatsApp API package executed code designed to exfiltrate credentials, exposing developers and their organizations to potential account compromise and downstream attacks.
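One defensive check that follows from the two points above (a package name chosen to resemble legitimate tooling, and code that runs at install time) is to scan a project's lockfile before `npm install` runs any scripts. The script below is an added example written for this article; it is not code from The Hacker News, Koi Security, or npm. It flags the `lotusbail` name taken from the report, flags any dependency whose name is within a small edit distance of a trusted name, and flags untrusted packages that npm has marked with `hasInstallScript` (the field npm writes into `package-lock.json` for packages with preinstall/install/postinstall hooks). The trusted-name list, the distance threshold, and the sample lockfile are constructed for illustration.

```python
"""Scan a package-lock.json for known-malicious and lookalike npm package names.

Added example for the article above; not code from the article, Koi Security,
or npm. The lockfile contents and the TRUSTED_NAMES allowlist are constructed.
"""
import json

# The only name the article gives. A defender would extend this set from
# their own threat-intelligence feed or a registry advisory.
KNOWN_MALICIOUS = {"lotusbail"}

# Constructed allowlist of names the organisation has vetted (placeholders,
# not a claim about which real packages are legitimate).
TRUSTED_NAMES = {"whatsapp-web.js", "express", "axios"}

# Constructed package-lock.json in the v2/v3 shape ("packages" keyed by path).
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {}},
        "node_modules/express": {"version": "4.19.2"},
        # hasInstallScript is what npm records when a package declares
        # preinstall/install/postinstall scripts.
        "node_modules/lotusbail": {"version": "1.0.3", "hasInstallScript": True},
        "node_modules/whatsapp-webjs": {"version": "0.1.0"},
        "node_modules/axios": {"version": "1.7.2"},
    },
})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance. A small distance between an unknown name and a
    trusted one is the signal a lookalike package relies on."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def package_entries(lockfile_text: str) -> list[tuple[str, dict]]:
    """Yield (name, metadata) for every installed package in a v2/v3 lockfile.
    Keys are filesystem paths; the name is the last node_modules/ segment,
    which keeps an @scope/ prefix and handles nested dependencies."""
    data = json.loads(lockfile_text)
    entries = []
    for path, meta in data.get("packages", {}).items():
        if not path:
            continue  # the "" key is the root project itself
        entries.append((path.rsplit("node_modules/", 1)[-1], meta))
    return entries


def scan_lockfile(lockfile_text: str, max_distance: int = 2) -> list[dict]:
    """Return findings as {"name", "reason"} dicts, in lockfile order."""
    findings = []
    for name, meta in package_entries(lockfile_text):
        if name in KNOWN_MALICIOUS:
            findings.append({"name": name, "reason": "known-malicious"})
        elif name not in TRUSTED_NAMES:
            close = sorted(t for t in TRUSTED_NAMES
                           if edit_distance(name, t) <= max_distance)
            if close:
                findings.append({"name": name,
                                 "reason": f"lookalike of {close[0]}"})
        # An install hook in an unvetted package is where install-time
        # credential theft would execute; surface it regardless of the name.
        if meta.get("hasInstallScript") and name not in TRUSTED_NAMES:
            findings.append({"name": name, "reason": "install script"})
    return findings


if __name__ == "__main__":
    for finding in scan_lockfile(SAMPLE_LOCKFILE):
        print(f"{finding['name']}: {finding['reason']}")
```

Run it against a real lockfile by replacing `SAMPLE_LOCKFILE` with the file's contents; pairing the scan with `npm ci --ignore-scripts` keeps a flagged package's install hook from running while the finding is reviewed. The edit-distance threshold of 2 is a constructed starting point and will produce false positives for very short package names, so treat lookalike hits as review items rather than blocks.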
Under the cover of a functional tool, the malware “steals your WhatsApp credentials, intercepts every message, harvests your contacts, installs a persistent backdoor, and encrypts everything before sending it to the threat actor’s server,” Koi Security researcher Tuval Admoni said in a report published over the weekend.
“When you use this library to authenticate, you’re not just linking your application — you’re also linking the threat actor’s device,” Admoni said. “They have complete, persistent access to your WhatsApp account, and you have no idea they’re there.”
The discovery comes at a time when software supply chain attacks are becoming more frequent and more damaging. Unlike traditional malware campaigns that target end users directly, attacks on developer ecosystems can scale rapidly, allowing malicious code to propagate through applications, services, and production environments.
A compromised npm package can affect not just individual developers, but also businesses that deploy applications built on those dependencies, amplifying the overall impact.